View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0002061 | libmicrohttpd | digest authentication (HTTP) | public | 2012-01-06 16:26 | 2012-01-23 14:21 |
Reporter | tclaveirole | Assigned To | Christian Grothoff | ||
Priority | normal | Severity | minor | Reproducibility | always |
Status | closed | Resolution | fixed | ||
Product Version | 0.9.17 | ||||
Target Version | 0.9.18 | Fixed in Version | 0.9.18 | ||
Summary | 0002061: digest authentication expects nonce count in base 10, RFC says base is 16 | ||||
Description | Hello, I found a bug with libmicrohttpd's digest authentication. In digestauth.c, line 554, in MHD_digest_auth_check(), the call to strtoul() uses base 10 to parse the nonce counter value from the HTTP Authorization header (nc=...). However, RFC 2617 states one should use base 16 (section 3.2.2, The Authorization Request Header). This is clear from the grammar, and the description for nonce-count clearly states: "The nc-value is the hexadecimal count of the number of requests [...]" I did some tests using libcurl, and libcurl indeed uses hexadecimal values. When the counter reaches 10, valid authentication requests get rejected because MHD_digest_auth_check() cannot parse the nonce counter correctly (the value being 0000000a, and not 00000010). | ||||
Steps To Reproduce | Set up a minimalist HTTP server with digest authentication using libmicrohttpd. Make ten valid requests to the server using the same nonce (thus increasing the nonce counter from 1 to 10). Even though it is valid, the server replies to the last request with 401 Unauthorized. | ||||
Additional Information | Attached is a (trivial) patch to solve the issue. | ||||
Tags | No tags attached. | ||||
Attached Files | base16-nonce-counter.patch (557 bytes)
Index: src/daemon/digestauth.c =================================================================== --- src/daemon/digestauth.c (revision 19034) +++ src/daemon/digestauth.c (working copy) @@ -551,7 +551,7 @@ (0 == lookup_sub_value(nc, sizeof (nc), header, "nc")) || (0 == lookup_sub_value(response, sizeof (response), header, "response")) ) return MHD_NO; - nci = strtoul (nc, &end, 10); + nci = strtoul (nc, &end, 16); if ( ('\0' != *end) || ( (LONG_MAX == nci) && (errno == ERANGE) ) ) return MHD_NO; /* invalid nonce */ | ||||
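Review bot: switching the strtoul base to 16 is correct, but the surrounding validity check in this hunk has two weaknesses worth fixing in the same change. First, strtoul returns ULONG_MAX on a range error, so the visible test `(LONG_MAX == nci) && (errno == ERANGE)` does not catch overflow; compare against ULONG_MAX (and clear errno before the call so a stale ERANGE cannot trigger a false rejection). Second, with base 16 strtoul also accepts leading whitespace, a sign and a "0x" prefix, none of which RFC 2617's grammar allows (nc-value = 8LHEX); since the only check is `'\0' != *end`, a value like "0x0000000a" or "-1" would be parsed rather than rejected. Checking that nc is exactly eight hex digits before the conversion keeps the parser aligned with the grammar and with what compliant clients such as libcurl send.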
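As an added illustration (not code from the report or from libmicrohttpd), the program below contrasts the base-10 strtoul call with the base-16 one on the nc value libcurl sends for the tenth request, and adds a strict parser for RFC 2617's nc-value = 8LHEX grammar that also rejects the "0x" prefix and sign that strtoul tolerates. The function names parse_nc_strtoul and parse_nc_strict, and the overflow check against ULONG_MAX, are assumptions of this example.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse an nc-value the way the original code did, with a chosen strtoul base.
   Returns 1 and stores the count in *out on success, 0 on a parse failure. */
int parse_nc_strtoul(const char *nc, int base, unsigned long *out)
{
  char *end;
  errno = 0; /* strtoul only sets errno, never clears it */
  *out = strtoul(nc, &end, base);
  if (('\0' != *end) || ((ULONG_MAX == *out) && (errno == ERANGE)))
    return 0;
  return 1;
}

/* Strict parser following RFC 2617's grammar: nc-value = 8LHEX.
   Accepts exactly eight hex digits and nothing else (no 0x, sign or spaces). */
int parse_nc_strict(const char *nc, unsigned long *out)
{
  unsigned long v = 0;
  size_t i;
  if (strlen(nc) != 8) return 0;
  for (i = 0; i < 8; i++) {
    char c = nc[i];
    unsigned d;
    if (c >= '0' && c <= '9') d = c - '0';
    else if (c >= 'a' && c <= 'f') d = c - 'a' + 10;
    else if (c >= 'A' && c <= 'F') d = c - 'A' + 10;
    else return 0;
    v = (v << 4) | d;
  }
  *out = v;
  return 1;
}

int main(void)
{
  unsigned long v;
  /* Constructed input: the tenth request on a nonce, as libcurl sends it. */
  printf("base 10: %s\n", parse_nc_strtoul("0000000a", 10, &v) ? "ok" : "rejected");
  printf("base 16: %s (%lu)\n", parse_nc_strtoul("0000000a", 16, &v) ? "ok" : "rejected", v);
  printf("strict 0x0000000a: %s\n", parse_nc_strict("0x0000000a", &v) ? "ok" : "rejected");
  return 0;
}
```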
Date Modified | Username | Field | Change |
---|---|---|---|
2012-01-06 16:26 | tclaveirole | New Issue | |
2012-01-06 16:26 | tclaveirole | File Added: base16-nonce-counter.patch | |
2012-01-07 14:37 | Christian Grothoff | Assigned To | => Christian Grothoff |
2012-01-07 14:37 | Christian Grothoff | Status | new => assigned |
2012-01-07 17:33 | Christian Grothoff | Note Added: 0005252 | |
2012-01-07 17:33 | Christian Grothoff | Status | assigned => resolved |
2012-01-07 17:33 | Christian Grothoff | Fixed in Version | => 0.9.18 |
2012-01-07 17:33 | Christian Grothoff | Resolution | open => fixed |
2012-01-07 17:47 | Christian Grothoff | Target Version | => 0.9.18 |
2012-01-23 14:21 | Christian Grothoff | Status | resolved => closed |
2013-05-06 12:52 | Christian Grothoff | Category | digest authentication => digest authentication (HTTP) |